
NSA/CSS Threat Operations Center (NTOC)
NTOC Technology Development

(U) NTOC




• (U//FOUO) Operates under both SIGINT and
Information Assurance authorities

- Leverages SIGINT, IA, OSINT

• (U//FOUO) Coordinates Integrated Cyber Operations

- V2: Analysis

- V3: Operations

- V4: Technology Development Support

• V45: Technology Development Division

(U) V45 - Projects

• (U//FOUO) TREASUREMAP 

- Massive Internet mapping, exploration, and 
analysis engine 

• (U//FOUO) PACKAGEDGOODS 

- Globally dispersed traceroute generators 

• (U) Other Projects 
(U) What is TREASUREMAP?



(U//FOUO) Capability for building a near real-time, interactive 
map of the global internet. 



Map the entire Internet - Any device*, anywhere, all the time 




(U//FOUO) We enable a wide range of missions: 

• Cyber Situational Awareness - your own network plus adversaries’ 

• Common Operation Pictures (COP) 

• Computer Attack/Exploit Planning / Preparation of the Environment 

• Network Reconnaissance 

• Measures of Effectiveness (MOE) 



(* limited only by available data) 
(U) TREASUREMAP

• (U//FOUO) Continual generation of global Internet 
map, IPv4 and IPv6 (limited) 

• (U//FOUO) Focus on logical layers (router and 
autonomous system), but touches physical, data 
link, and application layers 




• (U) It's huge.












TS//SI//REL TO USA, FVEY 







(U) Current State 




• (U//FOUO) Data Sources

- Open Source Intelligence (OSINT) * & Academic

- Commercially Acquired

- SIGINT

- Information Assurance

• (U//FOUO) Available on multiple networks to many user groups

- NSAnet - TREASUREMAP (TM)

• 5-Eyes partners

• JWICS users - USG IC

- SIPRNet - USG IC/DoD - TREASUREMAP-SIPR (TM-S)

• (U) New capabilities delivered every 90 days

• (U) 30+ Gigabytes of additional data added and replaced per day



(* OSINT - Open Source / Publicly available Internet Meta-Data) 
(U) Data Sources

Feed the Machine 
(U) OSINT, Commercial & Academic




• (U//FOUO) BGP 

- Gives the 300,000 foot view of the Internet 

- Defines routing across Autonomous Systems (AS) 

- Origination of IP address spaces (Prefixes) to AS 

- How the Internet gets knowledge of itself (IP address space) 

- Commercially purchased data sources

• Akamai, SOCIALSTAMP, SEASIDEFERRY 

- Open Source 

• Public BGP, IXP (RIPE), APNIC, ROUTEVIEWS, CERNET 
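The "prefix to AS" step that BGP data supports, shown as an added worked example (this is not TREASUREMAP code): a longest-prefix match over a constructed RIB dump in a bgpdump-like `prefix|AS_PATH` form. The sample rows, the ASNs and the exact line format are assumptions for illustration; a full table of roughly a million routes needs a radix tree (for example pytricia) rather than this linear scan.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in a bgpdump-like "prefix|AS_PATH" form (not real RouteViews
# or RIS data). The last ASN on the path is the origin; a "{...}" AS_SET origin is
# ambiguous and skipped.
SAMPLE_RIB = """\
192.0.2.0/24|64496 64500 64510
198.51.100.0/24|64496 64500 64511
198.51.100.128/25|64496 64500 64512
203.0.113.0/24|64496 64511
203.0.113.0/24|64497 64513
2001:db8::/32|64496 64500 64520
2001:db8:1::/48|64496 64500 64521
"""


def build_prefix_table(rib_text):
    """Map every announced prefix to the set of origin ASNs seen for it.
    A prefix originated by more than one AS (MOAS) keeps all origins."""
    table = defaultdict(set)
    for line in rib_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        prefix, as_path = line.split("|", 1)
        hops = as_path.split()
        if not hops or hops[-1].startswith("{"):
            continue
        table[ipaddress.ip_network(prefix, strict=False)].add(int(hops[-1]))
    return dict(table)


def longest_prefix_match(table, ip):
    """Most specific announced prefix covering ip, or None. Linear scan: fine
    for a sample, use a radix tree for a full routing table."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net in table:
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best.prefixlen:
                best = net
    return best


def ip_to_origin_as(table, ip):
    """IP -> prefix -> origin AS: the chain the data model uses to place a
    router (by its interface addresses) inside an AS."""
    prefix = longest_prefix_match(table, ip)
    return {
        "ip": ip,
        "prefix": str(prefix) if prefix is not None else None,
        "origin_as": sorted(table[prefix]) if prefix is not None else [],
    }


if __name__ == "__main__":
    rib = build_prefix_table(SAMPLE_RIB)
    for ip in ("198.51.100.10", "198.51.100.200", "203.0.113.7",
               "2001:db8:1::1", "10.0.0.1"):
        print(ip_to_origin_as(rib, ip))
```

Two details matter for map quality: the /25 more-specific wins over the covering /24 (so the same /24 can map to two ASes depending on the address), and a prefix announced by two origins is reported with both rather than silently picking one, since a MOAS conflict is itself a signal (legitimate multi-origin, a misconfiguration, or a hijack).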










(U) OSINT, Commercial & Academic




• (U//FOUO) Traceroutes 

- Router -to- router links to targeted IP addresses 

- Creates links between networking devices (routers) 

- TM ingests approx. 16-18 million traceroutes daily

- Gives the 300 foot view, router-to-router infrastructure 

- Data Sources 

• ARK - CAIDA’s Archipelago Project * 

• PACKAGEDGOODS * 

• SOCIALSTAMP 

• RUSTICBAGGAGE 

• User Input 
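How a traceroute becomes router-to-router links, as an added example (not TREASUREMAP or PACKAGEDGOODS code): the parser below turns constructed Linux-style traceroute output into edges, keeps both routers when a hop is answered by two devices (per-flow load balancing), and marks an edge that crosses unresponsive `*` hops as inferred rather than direct, because treating two routers separated by a silent hop as adjacent puts a false link on the map. The two traces, the addresses and the output format are constructed for illustration.

```python
import re
from collections import Counter

# Two constructed traceroutes toward the same host from different vantage points
# (Linux traceroute output format; documentation addresses, not real paths).
SAMPLE_TRACES = [
    """\
traceroute to 203.0.113.7 (203.0.113.7), 30 hops max, 60 byte packets
 1  192.0.2.1  0.412 ms  0.398 ms  0.380 ms
 2  198.51.100.1  1.204 ms  1.190 ms  1.171 ms
 3  * * *
 4  198.51.100.254  10.911 ms 198.51.100.253  10.802 ms  10.700 ms
 5  203.0.113.7  12.001 ms  11.950 ms  11.900 ms
""",
    """\
traceroute to 203.0.113.7 (203.0.113.7), 30 hops max, 60 byte packets
 1  192.0.2.9  0.300 ms  0.290 ms  0.280 ms
 2  198.51.100.1  1.100 ms  1.090 ms  1.080 ms
 3  198.51.100.77  5.000 ms  4.900 ms  4.800 ms
 4  198.51.100.254  10.000 ms  9.900 ms  9.800 ms
 5  203.0.113.7  12.000 ms  11.900 ms  11.800 ms
""",
]

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
IP_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}|[0-9a-f:]+:[0-9a-f:]+", re.I)


def parse_hops(text):
    """List of (ttl, [distinct responding IPs]) per hop line.
    An all-'*' hop gives an empty list; a hop answered by two routers
    (per-flow load balancing) gives both."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header or unparseable line
        ips = []
        for ip in IP_RE.findall(m.group(2)):
            if ip not in ips:
                ips.append(ip)
        hops.append((int(m.group(1)), ips))
    return hops


def router_links(text):
    """Router-to-router links from one traceroute as (a, b, kind) tuples.
    A link drawn across unresponsive hops is 'inferred(+n)', not 'direct':
    n devices sit between a and b that never answered, so drawing a and b
    as adjacent would put a false edge on the map."""
    links, prev, gap = [], None, 0
    for _ttl, ips in parse_hops(text):
        if not ips:
            gap += 1
            continue
        if prev is not None:
            kind = "direct" if gap == 0 else f"inferred(+{gap})"
            links.extend((a, b, kind) for a in prev for b in ips)
        prev, gap = ips, 0
    return links


def merge_links(traces):
    """Observation count per (a, b, kind) across many traces; with enough
    vantage points a direct observation eventually fills in an inferred gap."""
    seen = Counter()
    for t in traces:
        seen.update(router_links(t))
    return seen


if __name__ == "__main__":
    for link, n in sorted(merge_links(SAMPLE_TRACES).items()):
        print(n, *link)
```

In the sample the first vantage point cannot see hop 3, so its link from 198.51.100.1 to 198.51.100.254 is only inferred; the second vantage point's trace supplies the missing router (198.51.100.77) as two direct links. Merging counts per edge kind is what lets the direct evidence outrank the inferred edge once enough traces arrive.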
(U) OSINT, Commercial & Academic




• (U) Registries - Information on netblock and AS ownership 

• (U) DNS - IP address to domain name matching 

• (U) Operating System (OS) Fingerprints 

- Software and Operating System characteristics of networked 
devices 

30-50 million unique IP addresses represented per day 
(U//FOUO) Traceroutes: PACKAGEDGOODS




• (U//FOUO) Collects "network measurement" data on the public Internet

• (U) Random traceroutes and user-requested

• (U//FOUO) PG-GTR

- Currently using ~700 public traceroute sites to perform operations

- High targeting (full IP addresses)

- Capable of ~4K IPv4 and IPv6 traceroutes daily

• (U//FOUO) PG-Server

- High volume: ~6.5 million traceroutes per day

- Low targeting: IPv4 /24 netblocks or higher

- Can do whole ASes, countries, netblocks

- 13 covered servers in unwitting data centers around the globe

• Asia: Malaysia, Singapore, Taiwan, China (2), Indonesia, Thailand, India

• Europe & Russia: Poland, Russia, Germany, Ukraine, Latvia, Denmark

• Africa: South Africa

• South America: Argentina, Brazil



(U) Coming Soon! 




• (U//FOUO) PG-Server 2.0

- Tasking of full IP address

- Choice of traceroute types:

• ICMP

• ICMP Paris

• TCP

• UDP

- Choice of PG-SVR (for source of traceroute)

- Auto-refresh
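The probe types on the PG-Server 2.0 list differ in how a load-balancing router treats the probes. As an added illustration (not PACKAGEDGOODS code), the simulation below models per-flow ECMP with a CRC32 stand-in for the router's hash (an assumption; real hashes are vendor-specific and undocumented): classic UDP traceroute changes the destination port on every probe, so the probes for one TTL can be spread over several next hops and the reported path is a mix of paths, while Paris traceroute holds the 5-tuple constant and tells probes apart by the UDP checksum, which ECMP does not hash.

```python
import zlib

UDP = 17


def ecmp_next_hop(flow, next_hops):
    """Stand-in for a router's per-flow ECMP hash over the 5-tuple
    (src, dst, proto, sport, dport). CRC32 is an assumption made here;
    any deterministic hash shows the same effect."""
    key = "|".join(str(f) for f in flow).encode()
    return next_hops[zlib.crc32(key) % len(next_hops)]


def classic_udp_probes(src, dst, n, base_port=33434):
    """Classic UDP traceroute: the destination port increments with every
    probe, so each probe is a different flow to a load-balancing router."""
    return [(src, dst, UDP, 40000, base_port + i) for i in range(n)]


def paris_udp_probes(src, dst, n, port=33434):
    """Paris traceroute: the 5-tuple is held constant; probes are told apart
    by the UDP checksum (adjusted through the payload), not by the port."""
    return [(src, dst, UDP, 40000, port) for _ in range(n)]


def next_hops_seen(probes, next_hops):
    """Distinct next hops the probes would be spread across at one ECMP router."""
    return {ecmp_next_hop(p, next_hops) for p in probes}


if __name__ == "__main__":
    hops = ["10.0.0.1", "10.0.0.2"]
    print("classic:", next_hops_seen(classic_udp_probes("192.0.2.10", "203.0.113.7", 32), hops))
    print("paris:  ", next_hops_seen(paris_udp_probes("192.0.2.10", "203.0.113.7", 32), hops))
```

With the usual three probes per TTL the split is intermittent, which is exactly why classic traces produce phantom links and missing links that only show up across many runs; the 32-probe run makes the effect deterministic for the demonstration. TCP and ICMP probes have the same choice to make (keep the port pair or the ICMP checksum and identifier constant, or not), which is what the "ICMP Paris" entry refers to.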



(U) Traceroutes - CAIDA

• (U) University of California, San Diego

- Cooperative Association for Internet Data Analysis

- Archipelago measurement platform

• (U//FOUO) TM data source: ARK

• (U) High volume: ~10 million traceroutes per day

• (U) Random targeting (/24 netblock, BGP advertised)

• (U) 44 Locations: Asia (5), Europe (15), Africa (2), North
America (18), South America (2), Oceania (2)





(U) Internal Sources (Protected source)



- (U//FOUO) PACKAGEDGOODS - NTOC

• (S) Clandestine traceroute and DNS processor

- (S//SI//REL) BLACKPEARL -

• SIGINT session 5-tuple, identified routers, routing protocols, SIGINT access points,
(inferred SIGINT access points)

- (S//SI//REL) LEAKYFAUCET -

• Flow repository of 802.11 WiFi IP addresses and clients via STUN data

- (S//SI//REL) HYDROCASTLE -

• 802.11 configuration data extracted from CNE activity in specific locations

• (Requires HYDROCASTLE account)

- (S//SI//REL) MASTERSHAKE -

• FORNSAT and WiFi collection data

- (S//SI//REL) S-TRUCKLER - NTOC

• IP address fingerprints and potential vulnerabilities from FORNSAT collection
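How STUN data yields the WiFi-client-to-public-address pairing that the LEAKYFAUCET entry describes, as an added example (not NSA code): an observer on the WiFi segment sees the client's RFC 1918 source address on the STUN Binding Request, and the server's Binding Success Response carries the client's public (post-NAT) address in the XOR-MAPPED-ADDRESS attribute (RFC 5389). The parser below decodes that attribute and pairs it with the private flow source. The response bytes are produced by the constructing helper, the addresses are documentation ranges, and the attribute and header layout follow RFC 5389.

```python
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
ATTR_XOR_MAPPED_ADDRESS = 0x0020


def build_binding_response(public_ip, public_port, txid):
    """Construct an RFC 5389 Binding Success Response carrying one
    XOR-MAPPED-ADDRESS attribute; used only to make sample bytes."""
    xport = public_port ^ (MAGIC_COOKIE >> 16)
    xaddr = int.from_bytes(socket.inet_aton(public_ip), "big") ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, 0x01, xport, xaddr)   # reserved, family, X-Port, X-Address
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    header = struct.pack("!HHI12s", BINDING_SUCCESS, len(attr), MAGIC_COOKIE, txid)
    return header + attr


def parse_stun(data):
    """Parse a STUN message into (msg_type, txid, {attr_type: value}).
    Returns None for anything that is not a well-formed STUN message, so other
    UDP payloads on the same port are not mis-decoded."""
    if len(data) < 20:
        return None
    msg_type, length, cookie, txid = struct.unpack("!HHI12s", data[:20])
    if cookie != MAGIC_COOKIE or msg_type & 0xC000 or len(data) < 20 + length:
        return None
    attrs, off, end = {}, 20, 20 + length
    while off + 4 <= end:
        atype, alen = struct.unpack("!HH", data[off:off + 4])
        value = data[off + 4:off + 4 + alen]
        if len(value) < alen:
            return None  # truncated attribute
        attrs[atype] = value
        off += 4 + ((alen + 3) & ~3)  # attribute values are padded to 4 bytes
    return msg_type, txid, attrs


def reflexive_address(attrs, txid):
    """Decode XOR-MAPPED-ADDRESS (preferred) or legacy MAPPED-ADDRESS to (ip, port)."""
    if ATTR_XOR_MAPPED_ADDRESS in attrs:
        v = attrs[ATTR_XOR_MAPPED_ADDRESS]
        family = v[1]
        port = struct.unpack("!H", v[2:4])[0] ^ (MAGIC_COOKIE >> 16)
        if family == 0x01:
            addr = int.from_bytes(v[4:8], "big") ^ MAGIC_COOKIE
            return socket.inet_ntoa(addr.to_bytes(4, "big")), port
        if family == 0x02:  # IPv6: XOR with magic cookie followed by the transaction ID
            key = struct.pack("!I", MAGIC_COOKIE) + txid
            raw = bytes(a ^ b for a, b in zip(v[4:20], key))
            return socket.inet_ntop(socket.AF_INET6, raw), port
    if ATTR_MAPPED_ADDRESS in attrs:
        v = attrs[ATTR_MAPPED_ADDRESS]
        return socket.inet_ntoa(v[4:8]), struct.unpack("!H", v[2:4])[0]
    return None


def correlate(flow_src_ip, flow_src_port, response_bytes):
    """Pair the private source seen on the WiFi segment with the public
    address the STUN server reported back, or None if the packet is not a
    usable Binding Success Response."""
    parsed = parse_stun(response_bytes)
    if parsed is None or parsed[0] != BINDING_SUCCESS:
        return None
    _msg_type, txid, attrs = parsed
    return {"private": (flow_src_ip, flow_src_port),
            "public": reflexive_address(attrs, txid)}


if __name__ == "__main__":
    resp = build_binding_response("203.0.113.45", 62000, bytes(range(12)))
    print(correlate("192.168.1.23", 54321, resp))
```

The XOR with the magic cookie exists so that NAT devices doing naive payload rewriting do not find and alter the embedded address; for a passive observer it is just one extra step, which is why STUN traffic is such a clean source for tying an inside client to its NAT's outside address.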








(U) Internal Sources (Protected source) 



- (S//SI//REL) TOYGRIPPE -

• Repository of VPN endpoints

- (S//SI//REL) DISCOROUTE -

• Router configuration files from CNE and passive SIGINT

• NAC's DISCOROUTE repository

- (TS//SI//REL) VITALAIR 2 -

• Automated scanned IP addresses for TAO known vulnerabilities

- (U//FOUO) IPGeoTrap -

• Provides geolocation services for IP addresses/ranges

- (TS//SI//REL) JOLLYROGER -

• Provides metadata that describes the networking environment of TAO-implanted Windows PCs

• (Requires JOLLYROGER account)

- (U//FOUO) TUTELAGE - NTOC

• Specific alerts from intrusion detection sensors
[Figure: data model diagram. Labels, in order: Router Configuration Files; BGP Advertisements; OS Fingerprints; Traceroutes; Geolocation; Autonomous System; Router; IP Prefix; Country; IP Address; Domain Names; AS Owner; SIGAD/CASN; MAC Address; Netblock; Network]

Yellow links denote direct relationships between data types.

For example, we know which AS contains a router because we can relate a router to IP addresses,
IP addresses to IP prefixes, then IP prefixes to an AS.














[Figure slides, graph simplified for presentation purpose: IPv4 & IPv6 Announcements; Stub AS: Multi-homed & Single homed; Potential Satellite Hops (19 additional peers); Registries]

(U) Internet "flow" to a "Network"

They're color-coded by country. Big deal.

With Traceroute...

(U) ... and DNS

(U) IP Geolocation Data

• Correlate IP addresses with country, latitude and longitude (via IPGeoTrap)
...ng the SIGINT (AS Level)

Red Links: SIGINT collection access points between two ASes

Red Core Nodes: SIGINT collection access points within AS

Red Ringed Node: Nodes within AS are SIGINT referenced

Graph simplified for presentation purpose
(S//SI//REL) Traceroute - overlaid with SIGINT and other ...

[Figure labels: TOYGRIPPE (VPN); OS Fingerprints; Router Configuration - Router Vendor: Cisco]




(S//SI//REL) Known Devices

- (S//SI//REL) Sources: DISCOROUTE (NAC router configuration repository)

- (S//SI//REL) Display supporting infrastructure, as configured in router
configuration files

• Where router accessed from
(possible NOC?)

• Servers configured for router
(NTP, DNS, RADIUS, TACACS)
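What "supporting infrastructure, as configured in router configuration files" looks like when pulled out mechanically, as an added example (not DISCOROUTE or TREASUREMAP code): the parser below reads a constructed Cisco IOS-style configuration, lists the NTP, DNS, RADIUS, TACACS, syslog and SNMP-trap servers the router is pointed at, and derives "where the router is accessed from" from the standard ACL applied to the vty lines, translating IOS wildcard masks into CIDR. The configuration text, hostnames and addresses are constructed for illustration; only standard ACLs (named or numbered) are handled, which is what `access-class` normally references.

```python
import ipaddress
import re

# Constructed IOS-style configuration excerpt; names and addresses are illustrative.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
!
ip name-server 10.10.0.53
ip name-server 10.10.0.54
ntp server 10.10.0.123
tacacs-server host 10.20.0.5
radius-server host 10.20.0.6 auth-port 1812 acct-port 1813
logging host 10.30.0.9
snmp-server host 10.30.0.10 version 2c public
!
ip access-list standard MGMT
 permit 10.40.0.0 0.0.0.255
 permit host 10.40.1.7
!
line vty 0 4
 access-class MGMT in
 transport input ssh
"""

# "Servers configured for router": one pattern per service type, capturing the host.
SERVICE_RES = {
    "dns": re.compile(r"^ip name-server\s+(\S+)"),
    "ntp": re.compile(r"^ntp server\s+(\S+)"),
    "tacacs": re.compile(r"^tacacs-server host\s+(\S+)"),
    "radius": re.compile(r"^radius-server host\s+(\S+)"),
    "syslog": re.compile(r"^logging(?: host)?\s+(\d+\.\d+\.\d+\.\d+)"),
    "snmp_trap": re.compile(r"^snmp-server host\s+(\S+)"),
}


def _acl_entry(tokens):
    """Network permitted by a standard-ACL 'permit' entry, as an ip_network."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32")
    if len(tokens) > 1 and re.fullmatch(r"\d+\.\d+\.\d+\.\d+", tokens[1]):
        # IOS wildcard mask (0.0.0.255); ipaddress accepts it as a hostmask
        return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return ipaddress.ip_network(tokens[0] + "/32")  # bare address means host


def parse_ios_config(text):
    hostname, vty_acl, section = None, None, None
    services = {svc: [] for svc in SERVICE_RES}
    acls = {}  # ACL name or number -> list of permitted networks
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            section = None
            continue
        if line.startswith(" "):  # indented body of the current block
            body = line.split()
            if section and section[0] == "acl" and body[0] == "permit":
                acls[section[1]].append(_acl_entry(body[1:]))
            elif section and section[0] == "vty" and body[0] == "access-class" and "in" in body:
                vty_acl = body[1]
            continue
        section = None
        if m := re.match(r"^hostname\s+(\S+)", line):
            hostname = m.group(1)
        elif m := re.match(r"^ip access-list standard\s+(\S+)", line):
            section = ("acl", m.group(1))
            acls.setdefault(m.group(1), [])
        elif m := re.match(r"^access-list\s+(\d+)\s+permit\s+(.*)", line):
            acls.setdefault(m.group(1), []).append(_acl_entry(m.group(2).split()))
        elif line.startswith("line vty"):
            section = ("vty", None)
        else:
            for svc, rx in SERVICE_RES.items():
                if m := rx.match(line):
                    services[svc].append(m.group(1))
                    break
    mgmt = acls.get(vty_acl, []) if vty_acl else []
    return {
        "hostname": hostname,
        "services": services,
        # "where router accessed from": the sources the vty access-class admits
        "mgmt_sources": [str(n) for n in mgmt],
        # no access-class, or an entry permitting any: management reachable from anywhere
        "mgmt_unrestricted": vty_acl is None or any(n.prefixlen == 0 for n in mgmt),
    }


if __name__ == "__main__":
    print(parse_ios_config(SAMPLE_CONFIG))
```

The management-source nets are the interesting output: a /24 that appears in the vty ACL of many routers is a strong NOC candidate, while a vty line with no `access-class` (the second case in the test) is a router whose management plane is reachable from anywhere the transport protocol is allowed.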
(S//SI//REL) Known Devices

(S//SI//REL) Sources: DISCOROUTE (NAC router configuration repository)

(S//SI//REL) Router data in tables
(U//FOUO) 802.11 WiFi Data

- (U//FOUO) Display and correlation of 802.11 wireless networks and RFC1918 clients

- (S//SI//REL) Sources
(U) Communities

- (S//SI//REL) Individual IP addresses related by a
common attribute

• TOR router

• Servers (DNS, NTP, SNMP, TACACS, RADIUS)

• Hide IP NG Proxy Servers

• BYZANTINE HADES Infrastructure hosts/infected hosts

- (S//SI//REL) Sources: (Varies)

• Currently TOR router advertisements
(U) Country (AS Presence)

(U//FOUO) TREASUREMAP Workspace




• (U//FOUO) Toolbar: Offers access to a variety of commonly used
functions

• (U//FOUO) Search Pane: Input search parameters

• (U//FOUO) Advanced Search Options: Preferences for searches

• (U//FOUO) Release my search to PG: Requesting traceroutes for
target IP addresses

• (U//FOUO) Other Searches: Includes Router, DNS, Batch
IP/MAC and JOLLYROGER

• (U//FOUO) Legend: Contains all of the icons and decorations as
seen in an active graph

• (U//FOUO) Send Feedback: Provides a way to communicate
questions, comments or problems to the TREASUREMAP team.







(U//FOUO) TREASUREMAP Search Items

1. (U//FOUO) IP Address

2. (U//FOUO) Routers

3. (U//FOUO) DNS (FQDN)

4. (U//FOUO) MAC address / 802.11 BSSID / 802.11 SSID

5. (U//FOUO) IP Prefix Range (CIDR Notation)

6. (U//FOUO) Registry Netblock

7. (U//FOUO) SIGAD and/or Case Notation

8. (U//FOUO) Country / IP Country Code

9. (U//FOUO) Autonomous System (AS) Number

10. (U//FOUO) Free Text
(S//SI//REL) User Interface: NAVS

(U//FOUO) User Interface: Website